snydeq writes "First it's letting users manage their own PCs and now it's sanctioning the shadow IT projects they do on the down low: 'You probably know them. They're the ones who installed their own Wi-Fi network in the break room and distribute homemade number-crunching apps to their coworkers on e-mail. They're hacking their iPhones right now to work with your company's mail servers. In short, they're walking, talking IT governance nightmares. But they could be your biggest assets, if you use them wisely. The reason superusers go rogue is usually frustration, says Marquis. "It's a symptom of the IT organization being unable to meet or even understand the needs of its customers," he says. "Otherwise, it wouldn't be happening." The solution? Put them to work.'"

Depends on the company but generally because they were told to have one, not because the department itself operates well. Honestly, while I could fully be a "rogue superuser" I prefer to let them do most of their work because I just don't get paid to do what they get paid to do.

Will I install applications, use applications and write applications as necessary to get *my own* job done? Yes. Will I go out of my way to do it so that others can do their job better? No. I am the first to tell someone who sends me an IM that asks, "Bill, can you come down and help with foo?" to go and submit an IT work order and wait it out. But I'm certainly not going to wait for them to come and fix my machine when I know full well I can do it myself without watching work back up for minutes, hours or days.

Exactly. I'll generally deal with my own machine (up to a point) and will take full responsibility for any issues that might arise due to my actions. That said, if I encounter a problem, I'll do what I can to take care of it within the rights limits of what IT has given me. When I go beyond that I know that I'm on my own and can't particularly expect IT to fix it if I screw something up.

I think most good IT departments are okay with allowing a certain amount of freedom. Where I work we don't give out admin logons, but we do allow some users to admin their local machine, and we do allow some users the privileges to do basic crap on other people's machines. If you have a guy who is willing and capable of doing annoying little changes for people and taking some of the headache off of the IT staff, more power to 'em.

But that stuff should always come with a "screw it up, and you're going to have to fix it yourself" caveat. If you pick your people well, then they should be okay with that in the first place.

Well, they broke the machine didn't they? With privilege comes responsibility. The same would apply to me, if I hosed my development equipment...I've done it before, and it's just a cost of doing business.

I'm in favor of allowing the leeway, but it's a two-way street. When someone like that screws their machine, it's usually not pretty, and it's not the sort of thing that can be easily fixed. I'm happy to restore an old image if you asked me to make one. I'm happy to recover files if it's possible.

But I'm not responsible for rebuilding a machine that has been rendered non-functional by a user who insisted that he knew what he was doing. I always make this stuff clear when a manager requests these sorts of permissions for one of their people. We support the standard configuration, once you deviate from that, all bets are off.

If you build a system with tons of unsupported software, I am not responsible for reinstalling and reconfiguring all that software. Period. And that is absolutely a position that is supported by my boss and my boss's boss, and the only guy higher than that only talks to shareholders.

I'll restore an image. I'll recover files, though frankly they should already be on the network share. I'll give you a fresh install. That's it.

Why, you ask, would any corporate IT support such a radical position? Because that guy's time isn't worth more than mine.

We've all got jobs to do and if I have to spend a week fixing a screwed install (and it'd have to be me or one of the other senior guys because the regular techs aren't equipped to do it), then a week's worth of my work won't be getting done. That's more unacceptable to everyone involved than making one guy reinstall his own unsupported apps.

If you're going to give them any extra permissions, they have responsibilities there. If they can't be trusted not to make a complete mess of it, then they should never be granted those permissions in the first place.

The whole goal should be to make things more efficient and get more work done. If those things aren't happening, you're doing it wrong.

If you build a system with tons of unsupported software, I am not responsible for reinstalling and reconfiguring all that software. Period. And that is absolutely a position that is supported by my boss and my boss's boss, and the only guy higher than that only talks to shareholders.

That's true today, but don't expect the status quo to last. This is no different from when people started bringing PCs into the office 25 years ago. Corporate IT said, "no way...use the mainframes", and the users brought PCs a

In the two examples cited, I could easily see situations where it'd be reasonable to say 'stop it or you're fired'. Setting up a random WAP that nobody in IT knows about can result in random people in the parking lot having access to your network, and storing company mail on an ipod is a massive breach waiting to happen - the only reason blackberries are allowed most places is because they can be bricked remotely.

My tone? You started this conversation accusing me of slighting Joe User, which has nothing to do with my original statement, and then you persist in trying to point out my "hypocrisy" in saying that users with special privileges won't get special treatment!

And no, I don't believe that it is IT's job to spoonfeed users. That is old thinking. You should be teaching them to do basic tasks themselves. 70% of the IT work here is in developing and deploying new systems, and the rest of the work is split between

Agreed, I allow users to be a local admin or power user on their machine for two reasons:

Important for me:

1. We are STRICT about A/V and system updates.

Important for them:

2. Users often times (when given a laptop) start to use the laptop as their primary machine. They will use it to do their taxes, do all their online shopping/browsing/webmail etc. and use it for entertainment etc... It consumes too much of my department's time dealing with little complaints about apps like IM FTP webex etc...

Will I install applications, use applications and write applications as necessary to get *my own* job done? Yes. Will I go out of my way to do it so that others can do their job better? No. I am the first to tell someone who sends me an IM that asks, "Bill, can you come down and help with foo?" to go and submit an IT work order and wait it out. But I'm certainly not going to wait for them to come and fix my machine when I know full well I can do it myself without watching work back up for minutes, hours or days.

Agreed, it has been my personal experience that tier-1 help desk people are usually of the college intern type. While they may be knowledgeable overall it takes too much time to get things done. Why put in a support ticket, or proposal for a new software package when I can do my own fixes, write my own apps, or use a FOSS to get things done quicker and more efficiently.

This is far different from giving me admin status over the network. I think it also boils down to two different kinds of people, some

Agreed, it has been my personal experience that tier-1 help desk people are usually of the college intern type. While they may be knowledgeable overall it takes too much time to get things done. Why put in a support ticket, or proposal for a new software package when I can do my own fixes, write my own apps, or use a FOSS to get things done quicker and more efficiently.

From the other side, the problem with people just like you is that when you leave, your replacement will not be hired for his ability to write apps or use FOSS. So the IT department will no doubt get a call from your now irate manager or replacement demanding that IT support your systems.

I've seen this so many times within my own organisation, departments or teams have their IT guy who have historically done all the IT for them, doing a fine job of it. Then they leave, then the IT department have to

I just sent this article to my IT director and asked if she contributed to this article. This is basically what happened to me and they did put me to work, with an extra salary (albeit a small one since I'm only 10% IT)

We did this at my employer, one of the departments decided they wanted to maintain their own desktops as a group. As no self-respecting admin actually enjoys taking care of desktops, we let them do it.

It wasn't a total break, they're still subject to the site's security policies and their home directories still mount from an nfs server we maintain, but no one in our group has had to install a machine or fix a dead hard drive in 5 years. They understand their needs far better than I ever could, so it really was a win-win situation.

It's worked surprisingly well, the admins are all volunteers from within the group, and they even maintain a batch system that all the workstations use for running jobs.

If any company has a group of people willing to take on that kind of responsibility, I'd say it deserves serious consideration.

Well, this rogue moron has to install stuff on his own, because our IT support department treats the development teams as if we don't know what we're doing, and applies the same policies for business users to us.

How can I be expected to do my work, if I can't even install an IDE, because it doesn't fit the standard image they have?

Anyway, it's more a problem in the structure I have here than anything else. I just wanted to state the point of view from a rogue moron.

So basically what you're saying is that at every major place you've worked at, you've had an idiot. You know what, we've all had a few of those, and for some of us, some of those idiots were in the IT department.

You ask why I should be treated differently? I am under the assumption that they hired me for my specialty, and that I have a base knowledge of what I'm doing. If the IT department fails to give me the tools I need, how am I supposed to be effective?

Because for every one of you, we have a hundred people who can barely manage to get around in MS Office, and most dangerous of all, three or four people who think they know computers (yet strangely manage to cause more restore-from-backup sessions than all other users combined).

That said, if I didn't work in IT, I sure as hell wouldn't do the same work unrelated to my job description. Dealing with helpless coworkers without having it go into my pay or performance reviews? Not bloody likely!

says Marquis. "It's a symptom of the IT organization being unable to meet or even understand the needs of its customers," he says. "Otherwise, it wouldn't be happening."

Actually in short...the reason is because IT are often understaffed, are required to follow ridiculous internal legislation, and many times are under-funded, and required to maintain a certain level of security...the latter of which is often BREACHED by these so-called power-users...which are nothing more than people wanting control

Yes this is the main problem with the concept of "embracing super users"

At several companies people outside IT have floated the idea that there should be a departmental super user who people within the department can go to with issues. The idea being that a highly technical member of their department would understand their specific departmental tasks/duties/needs and be able to support them on "little or common" it requests.

The reality is that this effectively makes that person a member of IT - and the sad

This is called the learning curve.
There seems to be
a) A refusal to admit that everyone needs to learn stuff up to the level of their position
b) A refusal to admit that intellectually curious people tend to learn beyond their stated position, and could generate efficiencies that start to obviate some of the other positions in the organization.

Yes, they're end users. But they don't sound like customers. They sound like employees.

In which case they should toe the god damn line, because they're fucking shit up for other people.

Yes, enterprise IT can be frustrating. But your cheeky little wifi hack maybe just took down three buildings of network, resulting in thousands of dollars of lost productivity. Actually happened, in my org - 100% true story.

I don't like meaningless limitations any more than the next guy, but these know alls who think they're 'superusers' because they can set up a wifi network need to lay off - they don't have the big picture, they just think they're being clever. Guerilla? Arse-scratching chimp, more like.

Those types are like the annoying dicks in class who distract the instructors with unrelated questions just to show the rest of the class how smart they are.

I'm not doing it to show the class how SMART I am; I'm doing it to show the instructor where I'm LACKING. If we're covering a section that I already understand and I can tell we're near the end but I have a question about the topic that isn't high level, one that's more specific to my real world problems that forced me to go to a class, how does that

Note that I said "unrelated questions". Say, hypothetically, we're in a Java class: if you're prattling on about destructors and pointer arithmetic then you are wasting our time -- it's like, "Wow, you know about a feature in another programming language, you must be an elite haxxor". The problem with some know-it-all chumps is that they take time away from those who have questions and want to actually learn something from the answer. One can be a know-it-all without having to prove it all the damn time.

Then you probably aren't the person the parent post was talking about. There's nothing wrong with asking a question about applying the material you are learning to the real world, *if* it's a legitimate question, and you are asking so you can learn something.

The parent post was talking about people who already know the answer and are asking questions just to show how insightful they are. I've seen it, and it's annoying.

It's not to get a pat on the head--there tend to be three reasons people poke their head up in class. (1) They're stuck in the overachieving freshman mentality, where they're effectively talking heads who aren't necessarily that productive. (2) Class participation counts towards their grade, and they need to spew up something once or twice a class to make sure they get that percentage of their grade. In terms of things that are only tangentially related, maybe it's a choice between vaguely interesting BS an

If they're truly breaking things, this means your network is so poorly designed that they are even capable of it. Get off your BOFH horse and do a decent job before yelling at people who are just trying to do their job reasonably.

My mother's laptop takes over 5 minutes to boot because of all of the scripts and login items the company forces her to run. This is not an uncommon occurrence because the various shit also prevents it from waking from sleep about 50% of the time. It's so locked down she can't install anything - not even a driver so she can plug in her company-supplied Sprint EVDO card for remote access. Nope, she has to drive into the office (about an hour away) just so they can pop in the card. Need to change an IP setting for the home wifi network? No-can-do (truly, the firewall and VPN cannot be trusted against the awesome power of the home LAN...). Maybe use something secure like Firefox instead of IE 5.5 (yes, 5.5!). Nope, can't install it. Use a USB memory stick to copy a file? Nope.

"Enterprise IT" policies are almost always to make IT's life easier at the expense of the end user. Now who was supposed to be supporting whom?

If they're truly breaking things, this means your network is so poorly designed that they are even capable of it.

I knew someone would come back with a smart comment like this, but I'm not yet jaded enough to include disclaimers in my posts. For your benefit: the wifi router in use was very poorly designed, using some horrific bridging tricks. Shutting down three buildings was actually an automatic fallback, to protect our larger network.

"Enterprise IT" policies are almost always to make IT's life easier at the expense of the end user. Now who was supposed to be supporting whom?

Now this is exactly what those chimps with their cheeky tricks believe. But in any decent organisation, of which I'm fortunately part, the people at the top really do care about supporting users, to our own convenience. It's our job, so we get it done. And nothing gives us greater satisfaction than a system that runs for the benefit of its users.

The job is supporting users, and that's what we do.

And that just precisely means making decisions about what can and what cannot safely be allowed in certain circumstances, and the sheer size of the operation means not being able to turn on a dime if somebody wants a completely different config. That's the way it is. We're not being unhelpful, we're making sure you don't butcher things for every other person in the zone by being a smartass.

"Enterprise IT" policies are almost always to make IT's life easier at the expense of the end user. Now who was supposed to be supporting whom?

Actually, both are to be supporting the company. IT does not answer to the end user, they answer to the shareholders, the CEO, board, and the regulators. Supporting the end users only applies if it will support the company to do so.

BTW, if end users can be trusted with admin rights, then why do botnets mainly exist on home users' computers? Those same home use

Yes, there are companies where the IT personnel are on a power trip, but IME, that's the exception rather than the rule. Most of the time, IT's policies are put in place for a reason. We don't want to make your life any more difficult than it needs to be. But when some "superuser" with a super-ego decides to circumvent IT policies by taking data home on a thumb drive, and then loses the drive or posts the data on-line for some reason, we get a mandate to keep it from happening again. When a user connects the company laptop directly up to their DSL or cable modem at home, contracts a new virus that evades the A/V software's detection rules and infects the network, then we take steps to prevent users from connecting to any network we don't control. And when we find our users installing games and P2P software, then we take away the ability to install anything on company laptops unless you can show that you have a bona fide need to do so.

You gripe that "Enterprise IT policies are almost always to make IT's life easier at the expense of the end user." Yeah, maybe. Sometimes it's true. But how long would it take you to change your tune if *you* were the guy getting called out on the carpet because a virus took your network down for two days? How many times would you let a user install rogue DHCP servers on your network before you decided to configure your switches to only allow certain MAC addresses to use given ports? How many times would you give out administrative access to anyone who asked for it, if your users kept breaking their computers because they didn't understand what they were doing?

Quote: If they're truly breaking things, this means your network is so poorly designed that they are even capable of it.

Are you serious? Your entire post is criticizing IT for doing exactly that! Yeah, we can lock down a network so that no one can break it, but to do so, it would be locked down so much as to be entirely inflexible. Your example of your mother's laptop is what happens when an IT department doesn't trust its users, and therefore tries to build a network so that it can't be broken.

Quote: Get off your BOFH horse and do a decent job before yelling at people who are just trying to do their job reasonably.

If that's all that our users were trying to do, you'd find the network wasn't nearly so restrictive. However, I've seen field techs delete all of the company-provided software so that they could install Quake 3 (no, I'm not kidding...). I've seen users copy warez on the file server. And consequently, I've seen network administrators take away admin rights and block ports on the corporate firewall. The problem is that *most* users play by the rules, but the ones that don't get the IT staff in trouble with management. Therefore, we lock things down so it can't happen again.

There *has* to be order in any society or it becomes unstable and falls apart. In the corporate enterprise network, IT is responsible for creating and maintaining that order, and therefore, IT implements the policies that are necessary to keep the IT infrastructure operating smoothly. Not everyone likes those policies, but believe me, you'd like it a lot less if they weren't there.

Just because someone can plug a device into a data jack does NOT mean they're a "SuperUser".

Yeah, that might work at HOME. But in the OFFICE someone (me) has to be responsible for security of our data. That includes YOUR social security number in HR's database.

If you do not like the "restrictions" you are working under, then explain to YOUR boss how much more money you'll make for the company if you get X. And your boss will talk to my boss and I will explain how much it will take to implement X (money, tim

Yes, they're end users. But they don't sound like customers. They sound like employees.
In which case they should toe the god damn line, because they're fucking shit up for other people.

Yes, enterprise IT can be frustrating. But your cheeky little wifi hack maybe just took down three buildings of network,
resulting in thousands of dollars of lost productivity. Actually happened, in my org - 100% true story.

My IT department is fine - I don't see them but once or twice a year and my computer works well enough. But a similar problem to the one you described occurred at the college I'm working on my PhD at. (I heard this story second hand, might be an error or two, but I trust the source) The engineering department wanted WiFi in the building in order to hook up the conference rooms and let students use wireless in the classroom. Seems simple enough, especially in this day and age. A formal request was made. And rejected by IT. Random bitching and moaning. So after a few months of inaction, the engineering department installed a few routers themselves, under the radar.

See, the problem is when IT gets in the way of business. IT is a service, not an administration. So when it starts acting like one, with bureaucracy, with stupid shit to get stuff done (a friend of mine, engineer in another company, had to wait three weeks (!!!) to get an approved, paid for compiler he needed installed on his laptop???) then yes, we go under the radar to get work done, which might I remind you is why we get paid. Apologies in advance if we ever cross paths.

Or worse yet, try to imagine the damage that could have been done if the network had stayed _up_.

If the idea of some yo-yo thoughtlessly bridging your internal network out to everyone in a three hundred metre radius just because he thinks that the blue patch cable clashes with his new Ferrari-red notebook doesn't make you reach for a baseball bat then maybe corporate IT isn't for you.

If the idea of some yo-yo thoughtlessly bridging your internal network out to everyone in a three hundred metre radius just because he thinks that the blue patch cable clashes with his new Ferrari-red notebook doesn't make you reach for a baseball bat then maybe corporate IT isn't for you.

If you properly segment and firewall the network, then this problem is limited in scope.

You can't prevent this sort of thing anyway, because of internet connection sharing/NAT.

Where I work, we have an automated scanner process that scans the ports looking for known access points. When found, the port is automatically disabled (keeping the rest of the network functioning). When we discover a wireless network on campus that didn't get detected, we start doing remote probes to identify it, add it to the config for our automated scanner, and go from there.

As to what's being used, specifically, I couldn't tell you. I just know I've seen the trouble tickets when they pop up. I'm in

If I had a dollar for every person that called me because some "superuser" installed a test piece of equipment on my network (against company policy, incidentally) and screwed something up, I'd quit right now and retire in the Caymans.

I've seen rogue DHCP servers assign duplicate IP addresses on our network, I've seen rogue DHCP servers assign IP addresses from a different network on our LAN, and I've seen (multiple times, from the same "power user") two ports on a DSLAM plugged into

Bad attitudes like yours always crack me up. Why? Because, with the exception of the mainframe administrators, it is exactly the kind of user you are complaining about that CREATED YOUR JOB. No, I don't mean users. I mean those Arse-scratching chimps that think they are superusers. The PC in the work place is a direct result of people trying to get computing power under the radar of the mainframe administrators. So, if people had followed your advice 30 years ago, you wouldn't have a job.

Sometimes rogue is the only way to go, especially when the IT organization is huge, monolithic, and anything but "IT at the speed of business".

In our situation it was also a reporting issue. Basically we (I) were tasked with doubling the number of countries we reported for. The process in place already required 2 full weeks of work (often with lots of unpaid overtime). The work couldn't start until the end of the month and had to be done by the 15th. Adding new people would have been stupid and it wasn't an option anyway. We were put in a position that if we "followed the rules" we'd either end up working 20 hour days for 2 weeks, or we'd simply fail to get our work done.

Our corporate IT group was willing to consider a more automated database solution... but after 4 months of meetings they wanted millions of dollars and said it would take more than two years to complete. This was a non-solution.

We then, with the help and advice of another "rogue" developer in the company, went to an external local company who built a very nice solution for $25k. Not only were we able to handle the doubled reporting workload, the actual workload itself went from 2 whole weeks each month to just a few hours a month. We did another round of development, spent another $25k, and folded in two other very time-consuming and error-prone processes into the tool (they only happen 3 times a year).

A few months ago I ran into the IT director that helped propose the multi-million solution and he asked how we were doing. I told him we got a great solution and he asked me to schedule a meeting to show him what we came up with. When the meeting was over, he basically picked his jaw up off the floor and expressed how amazed he was by the tool and how disappointed he was that the IT organization in our company (a Fortune 500 BTW) couldn't accomplish anything even close to it.

To be fair, our IT organization is very good at huge capital improvement projects that take years to complete. Unfortunately they have no capability to support more tactical solutions that help keep the business going until the big project is going. They are unable to grasp the idea that sometimes you need to make temporary bandaid solutions that will be discarded when "big project xyz" is done. "It's just a waste of money and resources" is their usual response - but they seem to have no concept that the business is hampered and profits are not earned because the lack of any tool, even a temporary one, inhibits the business. You don't need to buy a car to get from the airport to work - sometimes it's okay to spend money on a taxi. IT wants to tell us we can't take the taxi because they're building a car for us - we just have to wait at the airport for 2 years or walk.

But as you suggested, we had buy in from our own director (who was able to shake loose the money for the rogue development) and ultimately, the VP in our "chain of command" is pleased - the quality of our reports has improved dramatically (because we eliminated so much manual work) and we're able to support the additional countries, along with even more detailed/graphical reports.

There are some in the IT group that don't like what we're doing. But my response to them is always, "Let me know when you can provide us a reporting system that does this, this, this, and this and we'll be glad to switch to it". "Oh, well, we can't do that, that, and that..." and they then leave us alone.

"It's a symptom of the IT organization being unable to meet or even understand the needs of its customers," he says. "Otherwise, it wouldn't be happening."

I don't think that's true. Lots of people just want to screw around with things and get an ego boost out of flouting authority or trying to show-up the IT staff. You know, there's always going to be that guy who wants to install games on his PC, and figure out how to tunnel past the porn filter. Maybe it's because he wants those things, but also it's because he gets a kick out of subverting the rules. Either way, it doesn't mean the IT staff isn't doing their jobs.

I don't think that's true. Lots of people just want to screw around with things and get an ego boost out of flouting authority or trying to show-up the IT staff. You know, there's always going to be that guy who wants to install games on his PC, and figure out how to tunnel past the porn filter. Maybe it's because he wants those things, but also it's because he gets a kick out of subverting the rules. Either way, it doesn't mean the IT staff isn't doing their jobs.

Perhaps, and sometimes like many things in li

The biggest problem I see is that the employees who are trying this do NOT understand the full spectrum of the job assigned to IT.

Yeah, you CAN find a way around X... but what happens when the lawyers come in and want full records of X?

It isn't just about keeping your computer safe from viruses. Most employees understand the single-user model of computing.

What they do NOT understand is having multiple users hitting a shared resource such as a server.

It's possible for the IT staff to be doing their jobs and still be unable to meet the needs of their customers. Many IT organizations have limited budgets and personnel, so they have to focus on the things they can get done with the manpower they have. But there may still be many needs that can't be met within those limits. That's especially true for small tasks that may be very important to an individual but not so important relative to other bigger projects.

I don't think that's true. Lots of people just want to screw around with things and get an ego boost out of flouting authority or trying to show-up the IT staff.

And lots of us are trying to get our job done without IT constantly getting in our goddamned way and making life a huge pain in the ass.

Over two years ago, I was tasked with developing an internal website (employees only) for my agency, with a few simple apps (like a master calendar). I knew when management said it had to go through IT that it would never get done. It took me a few weeks to design the website and all the scripts (wouldn't have taken me that long if I could have done it in php instead of a

The only people who talk like this are those who write for business-related magazines, or useless middle management types who are at least aware of their uselessness and are attempting to avoid drawing attention to it by making your brain shut down.

Then I envy you. I needed a password to set up a tool I use and it took me two days of begging, persuading and wheedling to get it at one place I worked. The IT "consultant" who was trusted with it - well, let's say that I would not have trusted him with a mop and bucket.

I have - in the past - booted off a Linux rescue CD, mounted NTFS read only and got files I needed from protected folders because some jumped up little officious twit has not known what he is talking about. And was about the image the drive

We've actually moved away from this, fairly strongly. We work in a healthcare organization and having people develop applications on our servers can potentially cause huge issues. While it's possible to create little sandbox areas for them, it's an administrative hassle, and it's always hard to be positive their applications can't cross security lines or impact another application's performance. Then there's the support issues - who fixes their business critical application when they've left or are on vacation? It's like the days when people would make Microsoft Access applications for everything, and then it would be dumped in our lap.

Our response has been to staff up to meet customer demand and spend a lot of time bringing other IT folks up to speed on web development. It's worked out fairly well, and the number of times I've been called in to fix a Microsoft Access report or the like has dropped dramatically.

The maintenance thing is definitely one of the biggest headaches... Those fricking Access apps can be a cast iron bitch. With Healthcare I can definitely see getting rid of those guys; HIPAA concerns alone would be a good reason to have only professional applications. The costs of a security leak would be disastrous.

Still, for other businesses, it's harder to squeeze the money for extra FTEs in IT, and some of the slack in reporting especially, will have to be taken up by access junkies who can be slipped ont

The maintenance thing is definitely one of the biggest headaches... Those fricking Access apps can be a cast iron bitch.

Every time I see an Access app I think of how much more sense it would have made to implement it as some kind of web application, even in php. One server, all users. No locking/synchronization issues to speak of (certainly nothing like trying to use a shared mdb file.)

I could implement 99% of the access databases I've seen using a PHP CMS (say, drupal) and in less time, too. They could all coexist and even cooperate and the system could run anywhere you can get php and mysql. (Drupal 7 may be able to jus

If you look back in history, people originally used computers together, sharing access, tips, and source code. Now it's all top down - someone dictates what you'll do and how you do it. You, as the unempowered user, receive prebuilt restrictions, prebuilt computers, prebuilt binaries. You can't tinker, you can't fix, and you aren't even supposed to poke around.

The problems of restriction in DRM, restriction in EULA, restriction by not providing source code, restriction in IT are all the same. Instead of educating users and providing them the ability to solve problems, IT mirrors large software companies and media companies, and removes any control, forcing them to be "stupid." When users can't even diagnose on their own, and are forced to run to IT for the most minor software install, the bureaucracy justifies itself. IT is necessary because it's been made necessary. Dumb down the users and they need someone to hold their hand. But create a community of educated and empowered individuals and people will share information.

In a community of empowered users people don't just share solutions, they create solutions.

And while you're creating this community, your network is busily being infested with malware, unlicensed software and pirated music.

As much as we love to believe that everyone would be an ideal user with just a little education, most people simply do not care about computers outside of the fact that they have to use them for checking their emails and inputting data into "Application X". I admit that I work in the NHS, so there's an abnormally high percentage of IT illiterate users, but I see very few users with an actual interest in learning.

It's not hard to teach people the basics of networking. When you hold people's hands, you make it so they won't have to learn, so they don't. Require them to learn how to fish and they'll be providing for themselves. I know you'll say it's crazy, it's impossible, no normal person could ever learn responsible computer use... but get off your high horse. People routinely learn much more difficult things than using computers - and if they have a motivation to learn how to do things, they will.

It's like antivirus programs. I have no problems with having it installed on my computer, but I DO have a problem with it kicking off in the middle of the danged day when I am trying to work. The problem with some of the power tripping IT staff (hey I am in IT) is that they don't think... what time of day should these run?? They accept all defaults... and that sucks.

Instead of educating users and providing them the ability to solve problems, IT mirrors large software companies and media companies, and removes any control, forcing them to be "stupid."

I'm all for software freedom, but come on-- users are dumb. The difference between today's users and the "original computer users" is that the latter knew what they were doing. Trust me, training only goes so far. When the nth receptionist this month (where n approaches infinity) installs OMGLinsdayLohanSearchBarAkaComputerDefilerToolbar on the front desk machine, you might change your mind about locking things down.

Let's also not forget-- these are company machines. If my resident computer revoluti

Hmmm. This really seems like an interesting point. It is interesting to notice we're just on the verge of what might turn out to be a revolution in the way IT is done. This isn't the first article that seems to be pointing in a "it's time to change IT" direction. This is all coinciding almost right at the time that Open-Source software is becoming acceptable to end-users. As far as I'm concerned the year of the desktop was 2007. One wonders if perhaps the increasing use of open-source will bring about a

Give me a break. The people that "originally" used computers were mostly CS students that knew the computers inside and out. They could not only build the computers, they could program them as well. That is not the vast majority of users anymore. Users today do not care how their computers work, as long as they do. I can't count the number of times I got a call from someone about an update notification window because "I don't want to mess anything up". Their own home computers are so loaded with crap th

Instead of educating users and providing them the ability to solve problems...

Do you know how much education it takes before people will properly admin even their own machines? Too much, and most people don't care to be properly educated. Most people either (a) don't want to be bothered to admin their own machines; or (b) want to admin their own machines, don't want to spend the time to learn how to do it properly, and then will hassle the IT department to fix their mistakes. Either way, you don't want

If you look back in history, people originally used computers together, sharing access, tips, and source code. Now it's all top down - someone dictates what you'll do and how you do it.

If you look back in history, when you wrote software on an IBM mainframe, it became the property of IBM.

In a community of empowered users people don't just share solutions, they create solutions.

Most of the time they create problems because of a lack of personal empowerment. If you have an idiot and a genius working for you, you don't give the idiot all the passwords, now do you? No. You give him the fucking mop, and let him do the floors, and you keep him as far away from computers as possible.

And I can't get stuff working right. Our monitoring solution (OpenSpew) is managed by a central group so we don't have the ability to know if our changes are being made. So we don't get pages when we need them and we get pages from 2 weeks ago at all hours. When we ask for additional features, we're told it'll cost $20,000 and there's no money in the budget. As a result, the other groups have set up their own monitoring solution and shoot alerts to OpenView. And now we're getting ready to implement our own m

"Put them to work?" I'm not about putting the beatdown on non-IT tech guys, but I'm also not about giving them free rein. Isolate them from the bulk of the network, where their antics won't cause problems for the regular users, and impress upon them that they have a level of responsibility for their data and any problems that crop up with their projects. Make sure you bring their managers into the loop and impress upon them the problems that could crop up when their Access and Excel scripting guru runs amok, and then let 'em do their thing.

Oh, and wireless? I don't think so. Messing with network infrastructure is a cardinal sin, and any organization that doesn't have its internal network secured well enough to prevent someone setting up their own wireless inside the building needs to do some serious self-examination. Some things you just do not screw around with.

In my experience, the biggest problem is that the non-IT power users don't have the same appreciation for security as the people whose job it is to make sure things are secure. Security is a pain in the ass; no question about it, and a lot of users view it solely as a pain in the ass, with their inconvenience rating much higher in their estimation than IT's "Unreasonable Paranoia". If you restrict those users too much, they're going to spend all their time trying to get around your rules... Same as a child will. But like a child, if you give them a certain amount of freedom inside the rules, then they're much more likely to be obedient. They will understand that the rules are there because they have to be, not just because you hate them and don't want them to be able to do what they want to.

Yeah our network guys just put up an internal firewall around our servers and I had to find a way to let the user use a program similar to Crimson Edit. Crimson will let you edit a file via ftp (it downloads it to temp and when you save it uploads it). Well, we blocked ftp except to a couple brain dead apps (the app still uses FTP for some things which REALLY sucks). So I had to dig around and find something that let him get his job done, and yet use port 22 via SCP or SFTP. It's only code he's letting fl

I've been on both ends of the IT/user divide. I've administered networks of several hundred machines and am well aware of what some people will try to do with them. In my current position, however, I'm just a regular user. So when people in the department start talking about doing something that IT wouldn't approve of, I can usually explain to them in their terms why it wouldn't be such a good idea. OTOH, there have also been times where I've been called in by my boss to take care of a situation that IT hasn't been able to resolve, but that I've figured out because I face the problem daily. In those instances, I don't mind making a quick lap around the department and tweaking the machines a bit, because I know that it's exactly what IT would be doing anyways if they could be bothered to figure it out. And before someone says anything, I've contacted IT before to explain the problem and the fix. It's just that it's usually such an esoteric issue that they can't even begin to get their heads around it (e.g., font caching issues involving using certain programs in a certain sequence).

That's one thing I see a lot; a lack of communication between the users and IT. They need something, something that we could provide if we knew they needed it, but we don't spend any time up there, and they don't know enough to ask for it.

I've tried things like getting IT people invited to departmental meetings, cross-training the new guys in other departments... Whole lotta nothin has come out of that.

I think in the long run it's just going to require that the average user becomes tech savvy enough to know what to ask for, or we start hiring guys whose official role is like "embedded IT"; they work in other departments, but they report to IT.

The old adage that a little knowledge is a dangerous thing applies here. Yes, there are people who know what they're doing and will behave responsibly with a free run of your infrastructure, but the majority are people who just want to install Bonzi Buddy or that cool Bittorrent thing that lets you download movies. Even more dangerous are those who "know better" than the IT department and decide to set up their own services because yours haven't been configured correctly according to some guy they know on I

My last employer had firewalls that only allowed traffic through ports 80, 443, and an unusual port for VPN. I heard they also sniffed unencrypted packets, mostly to watch for viruses and breakins. Some of my coworkers wanted to use IM, although it was banned on the network. So I set up an encrypted squid proxy through my work desktop and home server. My whole team had IM and was able to communicate more efficiently.

One day I got called into the boss's office. He says, "I hear you've installed IM on everyone's desktop." So immediately I think I'm in trouble. Then he says, "Would you mind setting it up for me? How did you get it on the network?" He realized it increased productivity and any personal use wasn't seriously inhibiting work.

The point is don't hinder technology for a whole company only because you're afraid one ignorant user will bring in a virus. If power users want something, it's typically because it'll make them better at their job. Figure out a way to let them have it.

If your last employer was a public company in the US, your IM wasn't blocked because the IT department was being a bunch of jerks. They blocked it because they're required to log all electronic communication for discovery in case of legal action, and since they can't log IM, they have to block it.

Yeah, I'll get RIGHT on that. And when the shareholders or customers ask for documentation as to why the system is down 25% of the time and we tell them "Oh, it's because we gave RandomUserX on the Docks Admin rights to speed up response time on help desk. It's cool, he has his MCSE!" I'm sure I could leverage getting a college co-op before getting the CIO to sign off on letting "Power users" run loose on the network to fix problems.

Sorry - if it's my name on the line for a given piece of equipment, I want control of that piece of equipment. I left a place last February where that wasn't strictly true - and I'm relatively certain my fellow outsourced contractors were br

My work actually is forcing all computers with XP to turn off autorun today. The funny thing is, the reason is that someone had "spyware and/or viruses" installed from the disks.

Really, do you think autorun is the issue here? I think it's safe to say that running McAfee might not be the best idea to keep a computer safe (I seem to recall Clam doing a thousandfold better job), and also plain old stupidity from one of the users no doubt.

It really depends on the organization. There may be some overriding legal or safety reasons why you don't want to let anyone out of the sandbox: end user apps may not play nice with air traffic control or nuclear plants. ;)

On the other hand, some IT departments fully live up to the Dilbert character, Mordac, Preventer of Information Services. My IT department happens to be one of those, and the main consequence of my supervisor's blanket refusal to do anything that bothers him is that everyone, including his boss, comes to me to get things done. And that's okay with my boss, because his real objection is to doing anything unfamiliar, not the fact that it's being done somewhere.

But that's obviously a dysfunctional situation. The problem is that our IT department -- and presumably many others, including some of the snitty, arrogant posters in this thread -- isn't doing its job. By definition, if the IT department is either preventing necessary work from being done, failing to help get it done, or imposing arbitrary obstacles to get out of doing work in the first place, the solution is not necessarily giving end users IT responsibilities; the solution is for upper management to kick ass and, if necessary, hire IT people willing to do their jobs.

Contrary to some of the polarized views I've seen here, IT isn't always the problem, nor are end-users always the problem. Most often, it's a failure of both to work constructively and flexibly together and a failure of upper management to insist that they do.

Of course, if the dysfunctionality in your company isn't going anywhere anytime soon, you may have to look for workarounds, and the solution proposed by the original poster might work in some situations.

...and even I think this is a BAD idea. You want to mess with your own PC, okay - there's some merit there for some people. Mess with the network - hell no. There are too many things that need to get done, and the ability for one person - even an otherwise knowledgeable person - outside of IT to screw things up is just too much of an unknown.

I'm not usually one to chime in on the side of IT, as they often throw out the baby with the bath water, but letting people whose primary function is something other than keeping the network up mess with the network is just a massively bad idea. Screw up a workstation and one guy is dead for a day. Screw up the network and the whole company can go toes up.

I've been a developer since the days that 8" floppies were the network. Currently I'm working on performance improvements for a data warehouse product. Our in-house network is running at 100M, but our customers usually use the product on 1G in order to get acceptable ETL performance. The two test servers were next to each other in the same room. I put in an IT request to set up a 1G connection between the two machines. The response I got was "our network is 100M, can't do it." After repeatedly explaining to them how it could be relatively easily done without upgrading the whole building to 1G, and getting the same response, out of frustration I finally went to my boss and said, "here's an $80 switch we could buy that could get it done." We ordered the switch and are now happily operating a collection of machines in that room on 1G to each other. Our IT department is clueless about developer needs-- they assume all employees are only using CRM and office apps. Seems to me the solution ought to be a separate isolated network for the developers that they can hack on to their heart's content, but I suspect few IT departments have the savvy to figure that one out (ours certainly doesn't).

I suspect that most of the developers here have found it necessary to work around our IT department in one way or another. All of us have admin rights on our desktops which is an absolute must for us-- I'm doing things like shutting down and starting up services all the time, installing and uninstalling software, creating users, tweaking settings. I'd be down waiting for IT actions constantly if I had to do all that through them, and I'd bet much of the time they wouldn't understand what I was asking for and couldn't figure out how to get it done anyway.

I can relate to this issue. My co-workers often come to me to fix their email and various other apps that have been screwed up by an incompetent IT staff. I try, I really do try to get my coworkers to call IT if there is a problem, but sadly, they often don't trust them. I have been accused of all sorts of things by various IT employees and none of it true or even provable if it was. The truth is mine is the only computer they are _not_ regularly fixing (or screwing up) here in my office.

First of all, it depends on the context whether this is a good idea or not. In some environments, the IT group is the one and only IT wizard. In others (esp. in companies where IT development and IT research are the core business), the official IT group often is not at all capable of even understanding what the engineers are doing and supposed to do.

I've always worked (nearly 18 years now) in the latter situation. Once upon a time, I was one of those superusers in that I had an IT degree, but worked in engineering (research, actually) where most of my colleagues were non-IT engineers. They were very IT savvy at a personal level, but generally missed the wider scope. So far so good. The not so good thing, was that the IT department had no clue whatsoever of what the real business needs in terms of IT were (and neither had the company's management). The consequence was an ever worsening war between IT and IT users, amongst other things resulting in ever more shadow systems. We solved this by establishing a working group that took care of ensuring there was regular bidirectional communication between parties (I was one of the founding fathers and later on was the chairman for many years). This worked wonders. (Note: It worked so well, that when I finally left the company, the IT group tried to convince me to stay by proposing that I might join them in quite senior positions.)

Part of the whole concept was to do exactly what TFA says: the real superusers were identified; they earned the trust/respect they deserved; and then gained the appropriate - for our context - access to specific systems. (I personally managed the whole repository of OSS as well as some commercial soft we had installed centrally on UNIX. No, I did not have root, as I designed the complete setup such that I did not need it, but it will also be clear that with that level of access I potentially could access a lot of data and that capturing root would not have been difficult had I wanted. Some superusers can be trusted after all.) Many successful applications were developed in the same way: some superuser developed - with the knowledge of IT - a prototype that was taken into production for a larger audience after review by the working group and possibly some clean up by IT.

Actually, all this is nothing new. Strategic alignment between business and IT is a core part of IT governance. So is making sure that IT governance is not a buzzword hidden in a bi-monthly meeting between the CTO and CIO, both of whom generally do not understand the issues, but that it is something that is built into the whole system at all levels. And yes, this includes the superusers (at least the capable ones).

Concluding remark: I've since obtained an MBA. As part of the IT course, I wrote a paper describing the complete history of IT management & governance at my previous employer detailing the above story at length. That paper made a very happy professor, as he considered that I was absolutely spot on. Afterwards he started using me as an in-class assistant for the remainder of his course.

Anybody who is any good is going to have ideas, and an enlightened organization will find a way to accommodate them.

The ground rules where I work are pretty clear: we are expected to spend a bit of time playing with things on the side. Some of these have become products. We are expected to refrain from hacking important servers, flooding the network with garbage and similar misdeeds. If we break something, we are expected to fix it. I have all sorts of things hanging off the network, have all sorts of SDKs a

I worked as the regional IT director of a financial services firm which dealt with stocks, bonds, and securities. This meant we fell under the regulatory umbrella of the National Association of Securities Dealers (among others). They are a quasi-governmental agency and have absolute power (no appeals) in their sphere.

The deal that made me lock down everything was this little policy the NASD has of fining IT staff directly. Not the company, not the department...me. Personally. Starting at $100,000 and going up for security or privacy breaches.

That'll make you think twice. Oh yeah, any publicly traded company's officer (C level) can be sent to JAIL for violating certain IT regulatory policies.

Most "powerusers" go by the creed "Tis better to beg for forgiveness, than to ask for permission." Case in point, my team runs a Fortune 100 company's storage environment. We're running about 1.2PB of EMC DMX and NetApp storage (not including VTL). If a department needs NAS for some project we have an easy webpage for them to go to, they fill it out with the sharename they'd like, and we automatically find them a filer and create a 100GB CIFS/NFS share for them. Already integrated with active directory and NIS. End user can specify who can see it by specifying a group such as.group and everyone in their dept can have read/write access to it. Or you could just specify a list of users.

Sounds pretty easy. It's backed up, regular hourly snapshots are taken. It's backed up to tape, firmware upgraded and when the lease on the filer is up, *WE* migrate all the data to another filer off hours and you continue on with your life. Anyhow...

Some PowerUser user decided he wanted to 'play IT'. And decided he wanted his own storage that he could limit who accessed. While we would have been more than happy to allocate him 100GB of storage, he proceeded to go out and build some linux box under his desk with some home-office grade disk enclosure. He then demanded that *WE* back it up to tape, and *WE* integrate it in with NIS/active directory. It should also be known that the few outlets in the cubes are not spec'd to have servers/arrays plugged into them but laptop/dock and monitor type equipment.

Long story short. Someone came along and walked off with the home-office disk array and all the data on it. I got to go to all the meetings and watch this asshat explain why he lost customer data.

Hey powerusers... how much privs do you need? You say you want to install whatever you want on your PC. Which btw you didn't purchase. You say you want to pick out the exact model of server your app runs on, but you don't want to be the one to stock the 97.56GB drives as replacements, nor do you want to carry a duty pager to swap out parts when they break at 2am.

Why stop there? Why not just ask for the admin password on the core routers. I'm sure your expansive knowledge of networking (and installing dd-wrt on your linksys does not make a BGP expert out of you) could prove invaluable when the DWDM gear is malfunctioning. We're upgrading to AIX6 shortly, maybe your vast experience in managing/installing mysql at home will help us optimize a 10TB DB/2 database. Please help us out, since you installed parallels on your mac, you can lend us some of your expertise in VMs when we consolidate two z990s into a z10.

You say you manage a 5TB nfs server at home? Please show us the wisdom of your ways as we try to consolidate 50 EMC DMX arrays so we can save on power and cooling.

When we fuck-up, an entire company and its customers feel the pain. When you fuck up, you prevent us from doing our job as we clean up your mess.

Users should be given just enough privileges to do their job. This is why you do not have root on your server, you download pre-packaged software from the intranet, you do not have admin on the core routers, physical access to the datacenter and why we don't "tinker." You want to tinker, go work in your garage where you can tell your wife that you built a jumpstart server for the two linux boxes in your home media center and thump your chest. We support hundreds, thousands of users who would rather spend their days focusing on doing their job.

OTOH, you'd be hard pressed to find a user that can get single-sign-on working across a heterogeneous network (hint: we have it working on Windows, Macs, Linux, *and* OpenBSD machines), or backing up 7TB of storage *nightly* (or heck, even providing 7TB of storage), containing virus outbreaks, and so on. There are plenty of IT departments that suck, and there are plenty that don't. Sometimes IT needs to give users some slack, but other times, IT needs to smack it down, hard. We've learned the hard way th